BlackBerry not as secure as believed, memo warns federal workers

BlackBerry: Messages not secure, memo warns federal workers

OTTAWA • The federal department charged with overseeing cyber-security has warned its workers to think twice before sending a BlackBerry message, suggesting that the device believed to be the most secure in the world is more vulnerable than users may believe.

The one-page policy memo from Public Safety Canada, updated in mid-January, attempts to dissuade government BlackBerry users from sending a PIN-to-PIN message largely because it could be read by any BlackBerry user, anywhere in the world. The messages are “the most vulnerable method of communicating on a BlackBerry,” a Public Safety Canada presentation says.

The documents, released to Postmedia News under the Access To Information Act, say PIN-to-PIN messaging isn’t “suitable for exchanging sensitive messages” because protected or classified information could be inadvertently leaked, or a mobile user could inadvertently download malware or viruses that would compromise their phone.

Almost two-thirds of federal government mobile users in Canada prefer to use the BlackBerry, with the remaining one-third using either Apple’s iPhone or Google’s Android. The concentration of BlackBerry users is even more pronounced among federal politicians, with most cabinet ministers opting to use the BlackBerry. NDP Leader Thomas Mulcair has said he carries an extra BlackBerry battery to keep his mobile device from dying during the day.

Political staffers use the device as well, regularly sending PIN-to-PIN messages and emails as government business has progressively migrated to mobile devices.

“Although PIN-to-PIN messages are encrypted, the key used is a global cryptographic ‘key’ that is common to every BlackBerry device all over the world,” the memo reads. “Any BlackBerry device can potentially decrypt all PIN-to-PIN messages sent by any other BlackBerry device.”

The PIN, or Personal Identification Number, is an electronic address given to a particular device. When a user turns in the device, the PIN stays with the device and doesn’t follow the user to a new BlackBerry. Any BlackBerry the government decides to reuse therefore “may expose information to compromise,” the memo reads, because messages may be sent to the wrong person.

There is also the threat that sending messages outside government firewalls and security filters could lead to a user opening a virus attached to a PIN message.

“PIN-to-PIN messaging bypasses all corporate e-mail security filters, and thus users may become vulnerable to viruses and malware code as well as spam messages if their PIN becomes known to unauthorized third parties,” the memo warns.

The document is one among others released to Postmedia News, all of which continually press the point that protecting information must be a priority for the department. It also shows how far the department goes in tracking sensitive information on portable data devices, with devices colour-coded so workers know what types of sensitive, protected or secret information are on devices and can follow protocols for wiping information from devices, or destroying them entirely.

A security briefing for new staff underlines the point that classified information should always be locked in a container approved by the RCMP, and that guards patrolling departmental buildings who find protected or classified documents out in the open or unlocked will place the records in a locked safe overnight and issue an infraction notice to the employee.

The rules at Public Safety Canada are similar to those for other departments, including Human Resources and Skills Development Canada, which is continuing to investigate two major data breaches, each almost four months old. In those breaches, personal information about more than 588,000 Canadians was lost, information categorized as “protected B” — so labelled because its loss could cause “serious injury” to an individual.

Public Safety Canada’s records and activities are “among [the] most sensitive in government,” according to a security presentation, and the “potential for controversy is high.” A bullet point on one of the presentation slides says that “public confidence in the minister and [department] depends to a great extent on how well information is protected at all levels.”

Among the security suggestions in the presentation is this about mobile devices: “Cellular telephones/BlackBerrys/PDAs are not secure and are frequently monitored by amateurs and professionals alike.” The very next bullet point says that PIN-to-PIN messaging “is the most vulnerable method of communicating on a BlackBerry” because “messages can be easily intercepted.”

According to figures obtained by Postmedia News, in a one-year span, the number of government-issued BlackBerrys increased by 14.5 per cent, to almost 90,000 in August 2012 from 78,000 in September 2011. The cost to government to use those devices domestically is more than $2 million per month.
